In the old days, crooks followed transport trucks and hijacked them. Today they use phishing, vishing and identity theft to find and divert valuable cargo via logistics systems.
It’s a challenge for IT and infosec leaders to keep up.
The latest example of these tactics is a new campaign by cybercrooks using spear phishing-delivered malware to hack into the IT systems of freight companies to steal cargo.
Proofpoint, which discovered the campaign, warned IT and infosec leaders in the transportation sector this week of the new phishing campaign, mostly aimed at North American freight firms, that has been active since at least June but possibly was active as early as January.
“The actor has delivered a range of RMM [remote monitoring and management] tools or in some cases remote access software including ScreenConnect, SimpleHelp, PDQ Connect, Fleetdeck, N-able and LogMeIn Resolve,” says the report.
“These RMMs/RAS are often used in tandem; for example, PDQ Connect has been observed downloading and installing both ScreenConnect and SimpleHelp. Once initial access is established, the threat actor conducts system and network reconnaissance and deploys credential harvesting tools such as WebBrowserPassView. This activity indicates a broader effort to compromise accounts and deepen access within targeted environments.”
How it works
To begin with, the crooks try to compromise a broker load board, an online marketplace where trucking firms can bid on loads. They may post an offer of a fake load, or insert themselves in the middle of an email conversation between a carrier and a firm looking for a trucker to deliver a load. When a carrier responds by email, the crooks reply with a message that includes an infected attachment that leads to the installation of the remote access malware. Then the crooks can bid on real cargo loads, which they then try to steal.
Another strategy is to pretend to be a legitimate transport company and ask a customer to send a payment to a bank account controlled by the crook.
One company described on Reddit how it was compromised earlier this year: A supposed broker emailed a ‘setup’ link to the carrier’s dispatcher. When it was clicked, it led to the dispatcher’s email being compromised, after which existing bookings were deleted and dispatcher notifications were blocked. The crook added their own device to the dispatcher’s phone extension, booked loads under the compromised carrier’s name and coordinated the transport. The gang then tried and failed to steal eight truckloads of goods in California after the victim firm realized what was happening and drivers were alerted. However, several weeks later, another transportation company was hit in the same way, suggesting the gang had moved on to other firms.
Phishing attacks like that work because the attachment a victim is asked to download can appear to be a legitimate piece of software that will fool a sales employee or dispatcher. It may also evade antivirus or network detections because the installers are often digitally signed.
In an interview, Selena Larson, a co-author of the Proofpoint report, says the scheme also works because the trucking industry needs salespeople and dispatchers to act fast on proposed offers. Pushing targets to act fast is an essential strategy for many phishing campaigns.
The attack strategy described in this week’s Proofpoint report isn’t new: The company’s researchers issued a similar warning last September about email campaigns aimed at transportation and logistics companies that often used messages with Google Drive URLs leading to an internet shortcut (.URL) file, or a .URL file attached directly to the message. If executed, the shortcut uses the server message block (SMB) file sharing protocol to access an executable on a remote share, which installs the malware.
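The .URL shortcut described above is a small INI-style text file whose URL= field Windows follows when the file is opened. A mail gateway or triage script can read that field and refuse shortcuts whose target is a remote file share (a file:// URL with a host, or a \\host\share UNC path) or an executable. The following is an added example, not Proofpoint's code or anything from the report; the sample shortcut contents, the 203.0.113.10 host and the extension list are constructed for illustration, and the parser handles only the [InternetShortcut] section.

```python
import os
from urllib.parse import urlparse

# Constructed sample .URL attachments (not samples from the Proofpoint report).
BENIGN_URL_FILE = "[InternetShortcut]\r\nURL=https://example.com/rate-confirmation\r\n"
REMOTE_SHARE_URL_FILE = "[InternetShortcut]\r\nURL=file://203.0.113.10/share/loader.exe\r\nIconIndex=13\r\n"
UNC_URL_FILE = "[InternetShortcut]\r\nURL=\\\\203.0.113.10\\share\\setup.msi\r\n"
LOCAL_EXE_URL_FILE = "[InternetShortcut]\r\nURL=file:///C:/Users/Public/setup.exe\r\n"

# Extensions treated as executable content (assumption: tune to your own policy).
EXECUTABLE_EXTS = {".exe", ".msi", ".scr", ".bat", ".cmd", ".js", ".vbs", ".hta", ".lnk"}


def parse_url_file(text: str) -> dict:
    """Minimal INI parse of a .URL file: returns the keys of the [InternetShortcut]
    section, lower-cased. Other sections are ignored."""
    fields = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[internetshortcut]"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    return fields


def assess_url_file(text: str) -> tuple:
    """Return (verdict, reason) for a .URL attachment: 'allow', 'suspicious' or 'block'."""
    fields = parse_url_file(text)
    target = fields.get("url", "")
    if not target:
        return ("suspicious", "no URL field in shortcut")
    # Normalise a UNC path (\\host\share\file) into file://host/share/file so one
    # check covers both spellings; Windows resolves either over SMB (or WebDAV).
    if target.startswith("\\\\"):
        target = "file://" + target[2:].replace("\\", "/")
    parsed = urlparse(target)
    scheme = parsed.scheme.lower()
    ext = os.path.splitext(parsed.path.lower())[1]
    if scheme == "file" and parsed.netloc:
        # Any remote share target is refused, whatever the file name: this is the
        # delivery path the report describes.
        return ("block", f"shortcut targets remote file share {parsed.netloc}")
    if ext in EXECUTABLE_EXTS:
        return ("block", f"shortcut targets executable content ({ext})")
    if scheme not in ("http", "https"):
        return ("suspicious", f"unusual scheme {scheme!r}")
    return ("allow", "ordinary web link")


if __name__ == "__main__":
    for name, content in [("benign", BENIGN_URL_FILE), ("remote share", REMOTE_SHARE_URL_FILE),
                          ("unc", UNC_URL_FILE), ("local exe", LOCAL_EXE_URL_FILE)]:
        print(name, "->", assess_url_file(content))
```

The policy is deliberately coarse: a shortcut attachment has no business pointing at a file share at all, so the remote-share rule fires before the extension check and blocks even a harmless-looking file name. The extension list and the scheme allowlist are the parts a deployment would tune.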
In the new campaign, a threat actor has added the use of remote access tools. Proofpoint isn’t sure if the same threat actor is behind both campaigns.
Larson agreed both campaigns are similar to targeted phishing attacks against a wide range of industries that have been going on for years, and involve trying to trick an employee into clicking on a malicious link or document.
Proofpoint says it has seen nearly two dozen campaigns since August targeting logistics companies to deliver RMMs. The threat actor does not appear to attack specific sizes of companies: Targets range from small, family-owned businesses to large transport firms.
Value of stolen shipments has doubled
It’s hard to determine the size of this IT-related cargo theft problem. The US National Insurance Crime Bureau estimates cargo theft losses from all sources increased 27% last year compared to 2023, to $35 billion.
Verisk CargoNet, a company that tracks physical supply chain crime for law enforcement agencies, insurance companies, and distributors in the US and Canada, estimated in its Q3 report that the most recent quarterly losses due to theft were more than $111 million from 772 cargo theft events. Because there isn’t mandatory reporting of thefts, the true number would be larger. About 40% of that $111 million total could be IT-enabled fraud, said Keith Lewis, Verisk CargoNet’s vice president of operations. That includes phishing, smishing, stealing of internet domains, spoofing, buying legitimate companies to abuse their names and more.
Hacking ERP systems to redirect freight isn’t happening yet, he added.
The average stolen shipment value doubled to $336,787, up from $168,448 in Q3 2024, “clear evidence that cargo thieves are becoming more strategic in selecting targets,” the Verisk CargoNet report says.
“Organized crime groups are in a transitional phase, adapting to anti-fraud tools deployed across the logistics industry,” the report adds.
Once criminals know where trucks are going, the most common locations for cargo theft are truck stops and parking lots, distribution centers and warehouses, ports and rail yards, highways and rest areas, it said.
‘Classic phishing’
Robert Beggs, head of Canadian incident response firm DigitalDefence, calls the Proofpoint report a description of “a classic phishing scheme, but one that is particularly successful due to the nature of logistics operations.”
Although this is a new variant of previous campaigns, those attacks have also been successful because trucking is a round-the-clock operation that is largely remote, he said, so endpoints may not always have connectivity and facilities in place to ensure trust. The risk is increased because this is an industry that is time-sensitive, he pointed out. A trucker with a load has to obtain approval to move, ensure papers are in order, and have sufficient cash on hand to meet immediate demands.
“Together, these factors are tailor-made to support social engineering attacks,” he said.
Trucking may appear to be a low-tech industry, Beggs noted, because generally it avoids strong cybersecurity controls. However, its operations demand that such controls exist, especially when it comes to advancing funds or controlling information about high-value loads. At a minimum, firms in this sector must use multi-factor authentication for logins and ensure access to critical systems is monitored for proper use and the presence of any anomalies. Some companies use code words or expressions in messages to identify critical loads for an extra level of privacy, he added.
“Truckers have always been perceived to be a weak link, especially due to their limited practice of cybersecurity,” Beggs said. However, they are a critical part of any nation’s infrastructure and will likely continue to be targeted by social engineering and other attack types.
Vulnerable TMS systems
Danielle Spinelli, a former transportation broker and now account executive at Descartes Systems Group, which sells broker, transportation management, and ecommerce solutions, often speaks to the industry on cybersecurity and cargo theft.
She said one problem is the large number of ‘fly-by-night’ TMS (transportation management systems) that can easily be hacked. TMS providers have customer and truck load information that crooks want. Another point of vulnerability, she added, is poorly secured ELD (electronic logging device) providers that can be hacked or provide an entry point to TMS systems. ELDs are devices in trucks that automatically record a driver’s driving time, duty status, and other information.
At greatest risk are one- or two-person cargo hauling firms that do business through free email accounts, Spinelli added.
The US Federal Motor Carrier Safety Administration (FMCSA) is implementing anti-fraud initiatives that IT departments can leverage, she said. That includes requiring new commercial driver applicants to match their government documents with a facial scan. She also recommends logistics companies use technology platforms that combine FMCSA authority data with historical tracking performance, vehicle identification number verification, geo-location, and insurance validation before a truck is dispatched.
The problem of cargo theft is increasingly getting the attention of the C-suite, said Verisk CargoNet’s Lewis. They are now pushing for their security departments to hire IT people who have the same skills as those who work for financial institutions for tracing fraud and theft.
As for the future, he worries that crooks will make increasing use of AI to enable their cyber attacks.
Need for Cybersecurity 101
The industry is adopting technology solutions to combat cargo theft; for example, CargoNet just launched RouteScore API, which uses an algorithm to create a cargo theft route risk score for the US and Canada.
But what’s also needed is Cybersecurity 101. Spinelli of Descartes says the first thing IT and infosec leaders should do is increase employee security awareness training about how to recognize phishing attacks and the need to resist the urge to click on every attachment. They should require admins and users of logistics-related applications to reset their admin and user passwords every three to six months. And companies should make sure there are good off-boarding procedures to cancel IT access when an employee leaves the firm.
Proofpoint urges firms in the cargo transportation sector to:
restrict the download and installation of any RMM tooling that is not approved and confirmed by an organization’s information technology administrators;
have network detections in place – including using the Emerging Threats ruleset – and use endpoint protection. This can alert on any network activity to RMM servers;
not allow employees to download and install executable files (.exe or .msi) from email or texts from external senders;
train employees to identify and report suspicious activity to their security teams. This training can easily be integrated into an existing user training program.
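Proofpoint's first recommendation, restricting RMM tooling to what IT has approved, is something an endpoint team can check against process or software-inventory telemetry it already collects. The following is an added example, not code from Proofpoint or any vendor: it takes constructed process-start events, recognises the RMM products named in the report by a substring of the image path (an assumption; real inventory data would use publisher or package identifiers), and flags three conditions the article describes: an RMM that is not on the organisation's approved list, one RMM launching another (the PDQ Connect installing ScreenConnect pattern), and an RMM launched straight from a mail client or browser. The approved-product set, host names and paths are all hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RMM / remote access products named in the Proofpoint report, keyed by a lowercase
# substring assumed to appear in their install path or image name (assumption:
# substring matching on the full path; replace with publisher/package IDs in production).
RMM_SIGNATURES = {
    "screenconnect": "ScreenConnect",
    "simplehelp": "SimpleHelp",
    "pdq": "PDQ Connect",
    "fleetdeck": "Fleetdeck",
    "n-able": "N-able",
    "logmein": "LogMeIn Resolve",
}

# The one product this hypothetical organisation's IT department has approved.
APPROVED_RMM = {"N-able"}

# Parents that indicate the RMM came in through email or a download rather than IT deployment.
MAIL_AND_BROWSER_PARENTS = {"outlook.exe", "thunderbird.exe", "chrome.exe", "msedge.exe", "firefox.exe"}


@dataclass
class ProcessEvent:
    host: str
    user: str
    parent_image: str
    image: str
    signed: bool  # Authenticode status as reported by the sensor


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def identify_rmm(image: str) -> Optional[str]:
    """Return the product name if the image path matches a known RMM, else None."""
    lowered = image.lower()
    for needle, product in RMM_SIGNATURES.items():
        if needle in lowered:
            return product
    return None


def evaluate(events: List[ProcessEvent]) -> List[Tuple[str, str, str]]:
    """Return (host, product, reason) findings for RMM activity that violates policy."""
    findings = []
    for e in events:
        product = identify_rmm(e.image)
        if product is None:
            continue
        # Rule 1: only the approved product may run. A valid code signature is
        # deliberately NOT an allow criterion: the report notes the installers are
        # often legitimately signed, so e.signed carries no trust here.
        if product not in APPROVED_RMM:
            findings.append((e.host, product, "unapproved RMM executed"))
        # Rule 2: one RMM launching or installing another.
        parent_product = identify_rmm(e.parent_image)
        if parent_product and parent_product != product:
            findings.append((e.host, product, f"launched by another RMM ({parent_product})"))
        # Rule 3: RMM started directly from a mail client or browser.
        parent_name = _basename(e.parent_image)
        if parent_name in MAIL_AND_BROWSER_PARENTS:
            findings.append((e.host, product, f"launched from {parent_name}"))
    return findings


# Constructed sample telemetry: one IT-deployed agent and one dispatcher workstation
# where a mailed installer pulls in a second remote access tool.
SAMPLE_EVENTS = [
    ProcessEvent("TRK-SRV01", "SYSTEM", "C:\\Windows\\System32\\services.exe",
                 "C:\\Program Files\\N-able Technologies\\Windows Agent\\bin\\agent.exe", True),
    ProcessEvent("DISPATCH-07", "dispatcher", "C:\\Program Files\\Microsoft Office\\root\\Office16\\outlook.exe",
                 "C:\\Users\\dispatcher\\Downloads\\PDQConnectAgent.exe", True),
    ProcessEvent("DISPATCH-07", "dispatcher", "C:\\Users\\dispatcher\\Downloads\\PDQConnectAgent.exe",
                 "C:\\Program Files (x86)\\ScreenConnect Client (abc123)\\ScreenConnect.ClientService.exe", True),
]


if __name__ == "__main__":
    for host, product, reason in evaluate(SAMPLE_EVENTS):
        print(f"{host}: {product}: {reason}")
```

The approved agent on TRK-SRV01 produces nothing; the dispatcher workstation produces four findings, two of them for the chained install. Run against real telemetry the same rules map naturally onto a SIEM query, and the "launched from outlook.exe" condition pairs with the network-side alerting on RMM server traffic that the report also recommends.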